Creating and Exporting an Institutional Recovery Key

To use an institutional recovery key, you must first create and export a recovery key using Keychain Access.

You can export the recovery key with or without the private key. Exporting with the private key allows you to store it in Jamf Pro. If you export without the private key, you must store it in a secure location so you can access it when needed.

Note : You cannot use an institutional recovery key with a private key to activate FileVault Disk Encryption using a configuration profile in Jamf Pro. You must create and deploy the disk encryption configuration using a policy in Jamf Pro.

Creating and Exporting an Institutional Recovery Key with the Private Key

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted.

  3. To unlock the keychain, open Terminal and execute the following command:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Perform a backup of the keychain and save it in a secure location.

  5. Open Keychain Access.

  6. From the menu bar, choose "Add Keychain" from the File pop-up menu. Then, add the FileVaultMaster.keychain file located in /Library/Keychains/.

  7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading.

  8. Verify that a private key is associated with the certificate.

    [Image: FileVault_KeychainAccess1.png, Keychain Access showing the certificate with its associated private key]

  9. Select the certificate and the private key.

  10. From the menu bar, choose "Export Items" from the File pop-up menu. Then, save the items as a .p12 file.
    The .p12 file is a bundle that contains both the FileVault Recovery Key and the private key.

  11. Create and verify a password to secure the file, and then click OK.
    You will be prompted to enter this password when uploading the recovery key to Jamf Pro.

  12. Quit Keychain Access.

  13. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time. Without the keychain, you will not be able to decrypt the computer.

The FileVault Recovery Key and the private key are saved as a .p12 file in the location you specified.

Creating and Exporting an Institutional Recovery Key without the Private Key

  1. On an administrator computer, open Terminal and execute the following command:

    sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain
  2. Enter a password for the new keychain when prompted.
    A keychain (FileVaultMaster.keychain) is created in the following location:
    /Library/Keychains/

  3. Unlock the keychain by opening Terminal and executing:

    security unlock-keychain /Library/Keychains/FileVaultMaster.keychain
  4. Open Keychain Access.

  5. From the menu bar, choose "Add Keychain" from the File pop-up menu. Then, add the FileVaultMaster.keychain file located in /Library/Keychains/.

  6. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the Category heading.

  7. Select the certificate. Do not select the private key associated with the certificate.

    [Image: FileVault_KeychainAccess2.png, Keychain Access with only the certificate selected]

  8. From the menu bar, choose "Export Items" from the File pop-up menu. Then, save the recovery key as a .pem file or .cer file.
    You will need to upload this file to Jamf Pro when creating the disk encryption configuration.

  9. Quit Keychain Access.

  10. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted data at a later time.

The FileVault Recovery Key is saved as a .cer file or a .pem file in the location you specified.
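The following script is an added example and is not part of the Jamf documentation above. It shows the command-line equivalents of the two Keychain Access export procedures (with and without the private key) using the macOS security tool, and adds a portable check a practitioner would run before uploading a certificate-only export to Jamf Pro: it confirms the file carries a certificate and no PRIVATE KEY block. The keychain path comes from the steps above; the output file names, the .p12 password argument and the sample PEM contents are assumptions constructed for the example. The security commands only work on macOS; the check function runs anywhere with grep.

```shell
#!/bin/sh
# Added example (not Jamf's code): command-line equivalents of the export steps,
# plus a portable check that a "without the private key" export really is public-only.
set -eu

# Path used by the procedures above (assumed to already exist for the export functions).
IRK_KEYCHAIN=/Library/Keychains/FileVaultMaster.keychain

# macOS only: create the keychain, as in step 1 (prompts for the new keychain password).
create_irk_keychain() {
  sudo security create-filevaultmaster-keychain "$IRK_KEYCHAIN"
}

# macOS only: export certificate AND private key as a password-protected .p12
# (the "with the private key" procedure). $2 is the .p12 password that Jamf Pro
# asks for when the recovery key is uploaded.
export_irk_with_private_key() {
  out="$1"; p12_pass="$2"
  security unlock-keychain "$IRK_KEYCHAIN"
  security export -k "$IRK_KEYCHAIN" -t identities -f pkcs12 -P "$p12_pass" -o "$out"
}

# macOS only: export the certificate only, PEM-encoded (the "without the private
# key" procedure). No private key material is written.
export_irk_cert_only() {
  out="$1"
  security unlock-keychain "$IRK_KEYCHAIN"
  security export -k "$IRK_KEYCHAIN" -t certs -f pemseq -o "$out"
}

# Portable check: a file meant for a Jamf Pro disk encryption configuration must
# contain a certificate and must NOT contain any PEM private key block
# (RSA, EC, PKCS#8 "PRIVATE KEY" or "ENCRYPTED PRIVATE KEY").
# Returns 0 when the file is safe to upload, 1 otherwise.
irk_pem_is_public_only() {
  f="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
    return 1
  fi
  return 0
}

# Demonstration on constructed (fake) PEM content so the check runs on any system.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-constructed-sample-not-a-real-cert' \
  '-----END CERTIFICATE-----' > "$demo_dir/cert_only.pem"
cp "$demo_dir/cert_only.pem" "$demo_dir/leaked.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE-constructed-sample-not-a-real-key' \
  '-----END RSA PRIVATE KEY-----' >> "$demo_dir/leaked.pem"

if irk_pem_is_public_only "$demo_dir/cert_only.pem"; then
  echo "cert_only.pem: certificate only, OK to upload"
fi
if ! irk_pem_is_public_only "$demo_dir/leaked.pem"; then
  echo "leaked.pem: contains a private key, do not upload"
fi
rm -rf "$demo_dir"
```

Run the check against the .pem produced in step 8 of the second procedure before it goes into Jamf Pro; a .cer (DER) export cannot be inspected with this text check, so convert it first or export as .pem. The .p12 from the first procedure is expected to contain the private key and should be handled as the secret it is.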

© copyright 2002-2021 Jamf. All rights reserved.